How to Comply with FSMA’s Intentional Adulteration Rule
In May 2016, the FDA finalized Mitigation Strategies to Protect Food Against Intentional Adulteration. The Intentional Adulteration Rule, or IA Rule, establishes new requirements focused on significantly minimizing acts of intentional adulteration intended to cause wide scale public health harm. Implementation of the IA Rule helps lower the overall risk of intentional adulteration and prevent those acts that may cause wide scale public health harm.
Large food manufacturers are already expected to be in compliance with the IA Rule. Mid-size food manufactures have their compliance date for the IA Rule in July 2020 with very small businesses complying by July 2021. The FDA stated that the first inspections for this rule were slated to begin in March 2020 with quick check inspections that are conducted as an extension of other inspections. However, COVID-19 challenged this approach and it is reasonable to assume that these quick check inspections will begin when FDA more fully resumes their inspection program.
Quick check inspections are anticipated to involve a short survey covering the basics of the IA Rule with questions like ‘do you have a written food defense plan’, ‘ have you conducted a vulnerability assessment’, and ‘can you show me those.’ The FDA has further stated that comprehensive inspections evaluating the details of the food defense plan are expected to begin in the mid-2020s.
How to Comply with the Intentional Adulteration Rule
To comply with the IA Rule, a food manufacturing facility must prepare a food defense plan. It must include a vulnerability assessment to identify actionable process steps and identification and explanation of mitigation strategies for each of these steps. The food defense plan must also contain management components including monitoring procedures, corrective actions, and verification procedures with identification of records to be kept for each. The IA Rule also includes training and reanalysis requirements. Let’s take a deeper look at the key requirements.
The vulnerability assessment is at the core of the IA Rule. The vulnerability assessment is a process to identify the points, steps, or procedures of highest risk in your facility. Points, steps, or procedures identified as highest risk are identified as actionable process steps.
To make the vulnerability assessment more manageable, the FDA enabled the ability to use key activity types to conduct the vulnerability assessment. The key activity types are:
Bulk Liquid Receiving
Loading Liquid Storage & Handling
Secondary Ingredient Handling
Mixing & Similar Activities
Under the key activity type vulnerability assessment, those points, steps, or procedures identified as key activity types are determined to be actionable process steps.
The outcome of your vulnerability assessment is identification of actionable process steps, or the steps that are highest risk in your facility for intentional adulteration.
Each actionable process step must have mitigation strategies identified to reduce the risk of intentional adulteration. These mitigation strategies are:
customized to each process step,
tailored to existing facility practices and procedures, and
specifically directed towards that actionable process step’s vulnerability including the possibility of an inside attacker.
Facilities have a lot of flexibility to identify and implement appropriate mitigation strategies. Mitigation strategies typically either reduce the accessibility of a product to the inside attacker and reduce the ability of that inside attacker to be successful. You have the flexibility to choose what works best in your facility at that specific step to mitigate the risk. Choose mitigation strategies specifically based on the risks and vulnerabilities assessments at each actionable process step.
As mitigation strategies are identified, multiple lower cost mitigation strategies may be as effective as a single more expensive mitigation strategy. The simpler the mitigation strategies are, the easier it’s going to be for your employees to follow it. Most importantly, mitigation strategies should not adversely affect food safety. Food safety is the number one priority.
Management Components and Records
For each mitigation strategy, the food defense plan must include monitoring procedures, corrective actions, and verification procedures. These will have a similar look and feel to similar components that you may have already applied from the preventive controls rule.
For monitoring procedures, consider what will be monitored, who will do it, and how and how often will it be monitored. Corrective actions are what will happen if the mitigation strategy is not applied correctly and verification procedures are how you will show that the mitigation strategy is reducing the vulnerability identified in the vulnerability assessment.
As with all regulatory compliance activities, records must be kept. These include the food defense plan, vulnerability assessment, mitigation strategies, food defense monitoring procedures, food defense corrective actions procedures, and food defense verification procedures. There is also a records requirement for training and reanalysis.
The IA Rule contains two main training requirements.
1. An employee and their supervisor assigned to an actionable process step must receive food defense awareness training and they must also receive training to properly implement the mitigation strategies. There are some readily available resources to help with these:
In addition, the Food Protection and Defense Institute has collaborated with Alchemy to launch a Food Defense Supervisor Awareness e-Learning Course which takes about an hour to complete.
2. Qualified individuals must perform four functions:
prepare a food defense plan
conduct a vulnerability assessment
identify and explain the mitigation strategies
reanalyze the food defense plan
Qualified individuals have successfully completed training for the specific function at least equivalent to FDA standardized curriculum or be qualified through job experience. Each facility has the option to have a single person qualified to perform all four functions or to utilize a team approach where multiple people qualified in one or more of the functions work together.
The Food Safety and Preventive Controls Alliance offers online courses for key activity type vulnerability assessment, mitigation strategies, management components, and an in-person fundamental element vulnerability assessment course.
The Food Protection and Defense Institute recognizes that not everyone can optimally learn in an online course. With that in mind, we provide instructor-led courses that cover key activity types, mitigation strategies, management components, and the broader concepts of food defense and the importance of building a food defense culture. We also have lead instructors that offer the FSPCA fundamental element vulnerability assessment course as part of our training program.
The final requirement of the IA Rule is the reanalysis requirement. The food defense plan must be reanalyzed every three years, at minimum, or if you make changes in your facility that affects vulnerability. For example, if you change the way you process a food or add a new production line or piece of equipment, those changes will have to be reanalyzed. In addition, if a mitigation strategy is found to be ineffective through monitoring and verification procedures, you must reanalyze that portion. Finally, the FDA might reach out to you and require you to conduct a reanalysis if there’s new information on specific vulnerabilities.
Compliance with the IA Rule may seem impossible, but working through these steps systematically is manageable and assistance is available. If you haven’t already, you may want to attend a training or access the FDA Food Defense resources including the Guidance for Industry. Your smartest strategy is to implement these new requirements now and adopt a continuous improvement approach to better protect your food supply for the foreseeable future!